zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff1f4bd119e294e82b366862d68e24bd48aac597
gh-agentsecops-secopsagentkit/skills/incident-response/forensics-osquery/assets/osquery.conf
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

78 lines
2.7 KiB
Plaintext
Raw Blame History

{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": false,
"log_result_events": true,
"schedule_splay_percent": 10,
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": 3600,
"database_path": "/var/osquery/osquery.db",
"verbose": false,
"worker_threads": 4,
"enable_monitor": true,
"disable_events": false,
"disable_audit": false,
"audit_allow_config": true,
"audit_allow_sockets": true,
"host_identifier": "hostname",
"enable_syslog": false,
"watchdog_level": 1,
"watchdog_memory_limit": 250,
"watchdog_utilization_limit": 20
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;",
"interval": 3600,
"description": "Collect basic system information"
},
"os_version": {
"query": "SELECT name, version, platform, build FROM os_version;",
"interval": 3600,
"description": "OS version information"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 600,
"description": "Currently logged-in users"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, uid, parent FROM processes;",
"interval": 300,
"description": "Monitor running processes"
},
"suspicious_processes": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0 OR path LIKE '%/tmp/%' OR path LIKE '%Temp%';",
"interval": 300,
"description": "Detect suspicious processes"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 600,
"description": "Active network connections"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Listening network ports"
}
},
"packs": {
"ir-triage": "/etc/osquery/packs/ir-triage.conf",
"persistence-hunt": "/etc/osquery/packs/persistence-hunt.conf",
"lateral-movement": "/etc/osquery/packs/lateral-movement.conf",
"credential-access": "/etc/osquery/packs/credential-access.conf"
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
}
}
Reference in New Issue View Git Blame Copy Permalink